Aaron’s Law, much-needed reforms to computer crimes law, introduced in Congress (arstechnica.com)
193 points by PiersonBro on June 20, 2013 | 31 comments


These changes seem like an excellent step. But it's worth noting that even under the new proposal Aaron would have likely run afoul of the "access without authorization" component. I'm also not sure the new language around repeat offenders would have made a difference given the plea bargain, but I could imagine it would have made the maximum sentence sound less scary.

In addition to the two changes listed by Ars Technica, there's another tweak making it clear that the court should consider the "fair market" value of the information, which I guess for JSTOR would have still looked quite high.


I've argued till I've become blue in the face about this and I guess I'm a glutton for punishment so I'll ask it again: exactly where in the facts do you think authorization was missing?

MIT allows a level of access on its networks that people not on MIT have trouble understanding; it's not what you or I (assuming you're not from MIT) would think of on other campuses and certainly not in the private sector.

Second, you can't have your cake and eat it too. You can't have an unusually open access system in place, one that allows any and all visitors to come on with any email they wish, but then think that blocking an IP means you can call it a day, authorization over. That makes no sense. If he uses a new address, he gets authorization again. If he gets a new MAC address he gets authorization again. Sadly, I think for MIT to remove authorization they would have to be less open, they would have to actually change policies for signing up to campus networks.

And don't get me started on the unlocked, well graffiti'd closet...


> Second, you can't have your cake and eat it too. You can't have an unusually open access system in place, one that allows any and all visitors to come on with any email they wish, but then think that blocking an IP means you can call it a day, authorization over.

When it's their private property, they can have their cake and eat it too. I can let everyone in town into my living room but capriciously disallow you one day because I realize you have attached earlobes. That's just how license works.

The only consideration is notice. Does blocking a MAC address reasonably signal to the user that their consent was revoked, either objectively or in actual fact? I think you'd have a hard time arguing that Aaron, being very technically savvy, didn't realize that MIT was trying to kick him off its network.


> When it's their private property, they can have their cake and eat it too. I can let everyone in town into my living room but capriciously disallow you one day because I realize you have attached earlobes. That's just how license works.

And if I come back wearing prosthetic ears, is that a felony?


It is if you then sneak into his closet and start tampering with the wiring.


It's a misdemeanor just like a CFAA violation by itself.


> I can let everyone in town into my living room but capriciously disallow you one day because I realize you have attached earlobes. That's just how license works.

No, it isn't, and it isn't how property law works, either. Free and equal access to private property has been bandied about for decades, and leans away from your interpretation.


What do you mean? As far as I am aware, you only need to ask somebody to leave your property, and if they don't leave then the police will come and take them away for you.


> Free and equal access to private property has been bandied about for decades

There is no such thing unless the property is something like a restaurant or hotel and you discriminate based on a protected characteristic (race, mostly).


There are also exceptions for things like beach access.

PS: The law is all about edge cases; if you don't know the specifics, you really have no idea what's legal most of the time.


The law is mostly about the general rules. Legal analysis tends to be about edge cases, only because those tend to be the ones that are interesting to fight about. The general rule is that you can pretty much arbitrarily revoke license to use your private property.

Vis-a-vis beach access: the exception arises in that context because the waters of a state and all submerged land and land up to the mean high tide line are public property. Thus, while you remain free to revoke license to use your property arbitrarily, you can't use that to unfairly monopolize access to public property.


Or university.


Having attached earlobes is not a protected characteristic, nor (more relevantly) is breaking the rules of the establishment.


You're reaching.


You're the one who is reaching, by bringing up very specific exceptions (Civil Rights Act Title II) to the general right to exclude on private property. That's one of the most fundamental aspects of private property: the right to exclude.


Is MIT actually the kind of private property you're talking about?


What do you mean "the kind of private property"? Private property is private property. MIT is a private university and its campus buildings and its campus network are private property.

The fact that it's an educational institution doesn't make its property any less private. IIRC, the fact that MIT is engaged in interstate commerce with the public brings it within the domain of the Civil Rights Act of 1964 and the Americans with Disabilities Act of 1990, but those laws carry only very specific limitations: MIT can't refuse someone access solely based on their race, color, religion, or national origin, and must make reasonable accommodations for people with disabilities. Those regulations on the use of MIT's private property don't make the property any less private than any other such regulations, nor do they in any way prejudice MIT's rights to control access to their property for any other reason.


Isn't the private property thing a bit of a distraction anyway? Would things change if MIT was a public university?


You can't mix up "public property" with "private property of a public entity." The former is something like a river--it's public property and you're entitled to swim in it and cannot be excluded arbitrarily. But the latter is the same as private property in any other hands. To the extent that anything would change (and I don't think anything would), it would not be because the property rights are in any way different, but because the actions of public universities are "government action" and might be constrained for other reasons.


Yeah, ok, makes sense. Thanks.




You are just being obtuse.

There is no level of authorization that would allow him to go into a network closet (regardless of easy access) and set up his laptop to do what he did. Apparently you are in the minority. When his IP and/or MAC was blocked it was because of unauthorized usage of the network. When he actively circumvented that, it was an illegal act.

I would also argue that Aaron KNEW he was not authorized to do what he did the moment he stepped into that network closet.


I was thinking the same thing. I am one of those in the middle that believe Aaron broke the law but was being overprosecuted. Perhaps if facing a much lesser punishment, Aaron would have stood by his cause instead of checking out.


The timing here is not great, is it?

(I think the law is a step forward, though I don't think it does enough to mitigate the real problem with CFAA, which is that sentences under CFAA scale with dollar damages. The bit about making it harder to "accelerate" CFAA crimes when they're done in furtherance of crimes that are also CFAA crimes is also very important, but doesn't address the core flaw of the statute.)


Have you stopped to think about the fact of enforcing the CFAA so harshly against private citizens (e.g. downloading too many JSTOR articles), while their government boasts about hacking into the critical network infrastructure of other countries? Something doesn't seem right. Wild west, but global, I guess.


> Wild west, but global, I guess.

Yes, "international law" is a fiction and rightly so.


Yet again, a bill named after a person turns out to be poorly drafted pandering.


I recall a past comment on HN claiming that altering URLs to discover content may constitute hacking. For example,

  http://site.com/posts/img.jpg
  http://site.com/posts/img_t.jpg

In the first paragraph of the article:

> The proposed definition … is to obtain information … by knowingly circumventing technological or physical measures designed to prevent unauthorized individuals from obtaining that information.

suggests that, in that context, the debate would be whether a certain URL structure implies a legitimate attempt at securing content, rather than just being a side-effect of website structure/design.

Would it be unreasonable to argue that blatant disregard for security due diligence or just 'bad' security is not an honest attempt at the same, and thus equivalent to no security at all?


I thought the primary problem with Swartz's case was an overzealous US attorney pursuing prosecution far beyond any legitimate state interest.


Laws that can be used to pursue such zealotry didn't help either.



